Link List

Sponsored by..

Friday, 29 November 2013

It's taken me a few days to get around to this due to moving house, but here's a new pump-and-dump spam run promoting a stock Registered Express Corporation (OTC:RGTX).

As ever, there are a massive number of different subjects and random body-texts, for example:

Subject: This Bottom Bouncer has taken off!Subject: Our analysis right on the MONEY!Subject: Seven Reasons To Love This CompanySubject: Breakout coming!Subject: Get Ready for Another Money Making New Trade Idea TomorrowSubject: What a HUGE day we had!

Over The Counter Morning Highlight! Land Your Orders In EarlyTo Gain Big!!!

The spam volumes are not as high as some previous pump-and-dump runs, and the first incident that I can see is on Saturday 23rd November, a typical approach to try to pump the market when it opens on Monday morning.

RGTX has been through a few incarnations, most recently as a firm specialising the the secure transmission of electronics documents. According to its own reports [1][2] this firm has never had an income, holds no notable cash reserves and basically borrows cash against its own intellectual property and business value. Registered Express says that it is a business in development, it is not clear if and when it will ever start to make an income.

A look at the stock charts show that shares are traded in moderate volumes. On the 21st and 22nd November (before the spam run) a total of 849,477 shares were traded, about ten times the volume of the previous two days.

We know from past experience that either the spammers or another involved part will move in and buy stock before the spam run. I estimate that about 750,000 shares were bought in this way at between $0.012 and $0.020. Since then about three million shares have been traded, presumably people being motivated by the spam run or who are simply following the increase in volume with a speculative buy.

The folks at RGTX are probably not involved in the spam run. My previous analysis on these stocks indicates that these stocks are usually in terminal decline. Buying stocks on the basis of a spammed email would be exceptionally foolish and should be avoided.

This e-mail has been sent from an automated system.PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

Attached is a file Transaction_274135902580.zip which in turn contains a malicious executable named Transaction.exe which has an icon to make it look like a PDF file and a VirusTotal detection rate of 8/48.

Malwr reports an attempted connection to seribeau.com on 103.6.196.152 (Exa Bytes Network, Malaysia). This IP has several hundred legitimate web sites on it, and it is not possible to determine if these are clean or infected.

Tuesday, 26 November 2013

46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java exploit kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples. These are the domains that I can find running from this IP:

These seem to be a mix of GoDaddy, 1&1 and eNom registered domains that have been hijacked. Ones listed in italics have been flagged as malicious by Google:boostprep.combyjohnwhitaker.comclermontjumps.comddghost.comgolfrangefinderpro.comharrismetals.netharrismetals.bizhemorrhoidhometreatmentremedy.comherdprogram.comhouston-heights-realtor.commigweldersforsale.orgmodelagent.comq-host.comredbrickplayers.orgroadally.orgshattertag.comskillstuff.comsleepets.comsouthlakehosting.comsugarlandtxhouses.comtreatmentforeczemaguide.comwildbounce.com

The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42. Automated analysis tools [1][2][3] shows attempted connections to developmentinn.com on 38.102.226.252 (Cogent, US) and spotopia.com on 199.229.232.99 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or note.

Monday, 18 November 2013

This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:

ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that the calls to an 0844 number can cost up to 40p per minute (see more details here), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill.

Sadly, I don't know who is behind this scam, and in this case it was illegally sent to a TPS-registered number.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO who may be able to take more serious action against these spammers.

There is an attachment 442074293440-1116-084755-242.zip which unzips into a malicious exectuable 442074293440-1116-084755-242.exe which has a VirusTotal detection rate of 11/47. Automated analysis tools [1][2] show an attempted connection to aspenhonda.com on 199.167.40.33 (FAM Info Systems / ServInt, US). The domain in question has been hacked, it is not possible to tell if the entire server is compromised but there are other legitimate sites on that box.

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains:

Thursday, 14 November 2013

These domains and IPs appear to be involved in a Caphaw malware attack, such as this one. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.

Wednesday, 13 November 2013

Two more EXE-in-ZIP spams.. the first is a terse one with a subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" not much else with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment with VirusTotal score of 7/46 which calls home [1][2][3] to amandas-designs.com on 80.179.141.8 (012 Smile Communications Ltd., Israel)

The second one is a fake Wells Fargo spam similar to this:

We have received this documents from your bank, please review attached documents.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, areconfidential and are intended solely for the use of the person or entity to whom themessage was addressed. If you are not the intended recipient of this message, please beadvised that any dissemination, distribution, or use of the contents of this message isstrictly prohibited. If you received this message in error, please notify the sender.Please also permanently delete all copies of the original message and any attacheddocumentation. Thank you.

In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47 and calls home [4][5][6] to kidgrandy.com
on 184.154.15.190 (Singlehop, US).

Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter.

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@paypal.com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-TEBY66KNZPMU

For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (PayPal , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies. Thank You

PayPal Email ID PP89759

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.

The detection rate for this at VirusTotal is 9/47, automated analysis tools [1][2][3] shows an attempted connection to signsaheadgalway.com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP.

I forward this file to you for review. Please open and view it.Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.

This email message may include single or multiple file attachments of varying types.It has been MIME encoded for Internet e-mail transmission.

Attached to the file is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.

VirusTotal detection rates are 17/47. Automated analysis tools [1][2] show an attempted connection to nishantmultistate.com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea.

This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that).

Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.

The detection rate at VirusTotal is 5/45. Automated analysis tools [1][2] show an attempted connection to dchamt.com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean.

This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors.com:

1.This e-mail and any files or documents transmitted with it are confidential andintended solely for the use of the intended recipient. Unauthorised use, disclosure orcopying is strictly prohibited and may be unlawful. If you have received this e-mail inerror, please notify the sender at the above address and then delete the e-mail from yoursystem. 2. If you suspect that this e-mail may have been intercepted or amended, pleasenotify the sender. 3. Any opinions expressed in this e-mail are those of the individualsender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note thatthis e-mail and any attachments have been created in the knowledge that internet e-mailis not a 100% secure communications medium. It is your responsibility to ensure that theyare actually virus free. No responsibility is accepted by QualitySolicitors Punch Robsonfor any loss or damage arising from the receipt of this e-mail or its contents.QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NUTelephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, MiddlesbroughTS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by theSolicitors Regulation Authority (57864). A full list of Partners names is available fromany of our offices. For further details, please visit our websitehttp://www.qualitysolicitors.com/punchrobson

Perhaps the spammers were as irritated by the overblown mail footer as I was. Anyway, there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47.

Automated analysis tools [1][2] show that it attempts to communicate with alibra.co.uk on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:

a1.exe has a detection rate of 16/47, and Malwr reports further HTTP connections to:[donotclick]59.106.185.23/forum/viewtopic.php[donotclick]new.data.valinformatique.net/5GmVjT.exe[donotclick]hargobindtravels.com/38emc.exe[donotclick]bonway-onza.com/d9c9.exe[donotclick]friseur-freisinger.at/t5krH.exe

dot.exe has a much lower detection rate of 6/47, ThreatExpert, ThreatTrack [pdf] and Malwr report various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.

a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus.

These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is abuse by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following.

Dyn are pretty good at dealing with abuse complaints (you can contact them here). Blocking these domains will block some legitimate sites, primarily webcams and access to home PCs.. so bear this in mind if you choose to do so.

Sites below listed in yellow have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL. The links go to the Google diagnostic page.

We are writing you this email in regards to your PayPal account. In accordance with our"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm youridentity by completing the attached form. Please print this form and fill in therequested information. Once you have filled out all the information on the form pleasesend it to verification@paypal.com along with a personal identification document(identity card, driving license or international passport) and a proof of addresssubmitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-D503YC19DXP3

For your protection, we might limit your account access. We apologize for anyinconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files containinformation intended for the exclusive use of the individual or entity to whom it isaddressed and may contain information belonging to the sender (PayPal , Inc.) that isproprietary, privileged, confidential and/or protected from disclosure under applicablelaw. If you are not the intended recipient, you are hereby notified that any viewing,copying, disclosure or distributions of this electronic message are violations of federallaw. Please notify the sender of any unintended recipients and delete the originalmessage without making any copies. Thank You

PayPal Email ID PP51954

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which as you might guess is malicious. VirusTotal detections are 16/47, and automated analysis [1][2] shows an attempted connection to trc-sd.com which is the same domain seen in this attack.

DocuSign. The fastest way to get a signature. If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process, you can email support. This message was sent to you by administrator@victimdomain who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.

The attachment to the email is called To All Employees 2013.zip which contains To All Employees 2013.zip.exe which has an icon that makes it look like a PDF file. This malicious file has a VirusTotal detection rate of 7/47.

Automated analysis [1][2] shows a callback to trc-sd.com on 121.127.248.74 (Sun Network, Hong Kong). This IP address hosts several legitimate sites, so bear that in mind if you block the IP.

The problem is that there is no active company in the UK called Consumer Benefit Ltd.. there was a short-lived Manchester company number 06505446 which was dissolved in 2011, but I can't find any evidence that they are connected other than the similar name.

Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature (e.g. awsmazon.com, tradesdoubler.com, ebayrt.com, zanox-afiliate.com) and these use pseudo-anonymous WHOIS details also using the Wakefield address: